BSI Launches IoT Kitemark to Help IT Buyers

The British Standards Institution (BSI) has launched a new kitemark for internet of things (IoT) devices in a move designed to help buyers better identify products they can trust to be reliable and secure.

The move comes after the government introduced new voluntary measures in March, designed to encourage manufacturers to build security-by-design principles into the development of IoT products.

The new BSI Kitemark for IoT Devices is said to build on these guidelines by providing ongoing independent testing to ensure devices work properly and have security controls in place.

There are three types of kitemark: residential, commercial and enhanced.

A BSI spokesperson confirmed to Infosecurity: “The Commercial offering is typical for the enterprise market, unless the nature of the application requires enhanced security, in which case it is tested to the enhanced level.”

The new initiative, which the BSI claims is an industry first, will help IT buyers to sort through the huge variety of products on the market, and hopefully raise baseline security standards.

In order to achieve a kitemark, a manufacturer must first be assessed against ISO 9001, and the product in question must pass an assessment of functionality and interoperability plus scanning for software vulnerabilities and other security flaws. Further functional and interoperability testing, pen testing and audits are undertaken after that, and the kitemark will be withdrawn until any deficiencies are rectified, the BSI said.

IoT threats represent a security challenge to IT bosses on several fronts. Compromised devices could be conscripted into botnets for mining crypto-currencies or launching DDoS attacks, unsecured endpoints can be hijacked to provide a stepping stone into corporate networks, and mission-critical facilities could be sabotaged.

The National Crime Agency warned in a new report this week that the development of IoT “will present opportunities for specific areas of criminal and law enforcement exploitation.” It added that IoT devices “represent the greatest emerging botnet threat.”

The first products to achieve the kitemark are expected to land in the summer.